High-Confidence Cobalt Strike Command Infrastructure Detected Targeting Enterprise Networks

Security monitoring identifies a new command-and-control endpoint linked to one of the most widely abused post-exploitation frameworks.

Malicious Command Server Identified

Threat intelligence monitoring has detected a new command-and-control (C2) infrastructure associated with Cobalt Strike, a powerful adversary simulation tool frequently weaponized by threat actors.

Security analysts flagged the following indicator as malicious:

  • IOC: 43.249.175.87:39816
  • Threat Type: Botnet Command-and-Control
  • Confidence Level: High (100%)
  • ASN: AS138415 YANCYLIMITED-AS-HK
  • Country Association: Hong Kong
  • First Observed: February 5, 2026

Researchers confirmed the detection through infrastructure scanning telemetry and threat intelligence correlation. Analysts have not yet verified whether the hosting server itself is compromised. However, the infrastructure shows strong indicators of active malicious use.

Why Cobalt Strike Remains a Major Threat

Cobalt Strike was originally designed as a legitimate red team testing platform. However, cybercriminal groups and advanced threat actors frequently weaponize its Beacon payloads for real-world attacks.

Once deployed, attackers use Cobalt Strike to:

  • Establish persistent remote access
  • Move laterally across corporate networks
  • Escalate privileges
  • Execute ransomware payloads
  • Exfiltrate sensitive enterprise data

Many large ransomware campaigns have historically relied on Cobalt Strike during early intrusion stages.

Infrastructure Signals and Campaign Indicators

Security telemetry linked the identified infrastructure to AS138415. Previous threat mapping shows that adversaries frequently stand up C2 listeners with hosting providers where servers can be provisioned and rotated quickly, which limits how long any single indicator stays useful.

The non-standard port (39816, rather than the 80/443 defaults of Beacon's HTTP and HTTPS listeners) suggests a customized listener configuration. Cobalt Strike's Malleable C2 profiles let operators change the port, URIs, headers and traffic encoding of a Beacon channel, so network signatures tied to default values are easily bypassed. Early IOC detection therefore plays a critical role in disrupting attacker operations before the infrastructure is rotated.

Defensive Measures Organizations Should Activate

Security teams should immediately search outbound network traffic (firewall, proxy, NetFlow and DNS logs) for connections to 43.249.175.87 on port 39816, and treat connections to the same address on any other port as suspicious, since operators change listener ports freely. Beacon check-ins follow a configured sleep time plus jitter, so hosts that contact the same external endpoint at near-regular intervals are a strong signal of beacon activity even when the traffic is encrypted and content inspection reveals nothing.

Organizations should also:

  • Block the IOC across firewalls and EDR platforms
  • Review endpoint telemetry for suspicious process injections
  • Monitor privileged account activity for anomalies
  • Strengthen detection rules for post-exploitation frameworks
  • Conduct threat hunting across network logs and memory artifacts
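The following is an added example of the first hunting step above (searching connection logs for the IOC and for beacon-like periodicity); it is not code from the original advisory or from any vendor. It assumes a Zeek conn.log-like tab-separated layout (timestamp, source host, destination host, destination port, protocol) and uses a constructed sample log in which one internal host checks in to the reported endpoint roughly every 60 seconds. The medium-confidence match for the IOC address on a different port, and the coefficient-of-variation threshold for periodicity, are design choices of this example rather than anything the advisory specifies.

```python
"""Hunt outbound connection logs for the reported Cobalt Strike C2 IOC and
for beacon-like periodic check-ins.  Added example, not the advisory's own code."""
import statistics
from collections import defaultdict

# Indicator published above: address and listener port.
IOC_ENDPOINTS = {("43.249.175.87", 39816)}
IOC_HOSTS = {ip for ip, _ in IOC_ENDPOINTS}

# Constructed sample (not real telemetry), Zeek conn.log-like columns:
# ts \t id.orig_h \t id.resp_h \t id.resp_p \t proto
# 10.0.5.23 checks in to the IOC about every 60 s with slight jitter;
# 10.0.5.44 talks to an ordinary external host at irregular intervals;
# the last line hits the IOC address on a different port.
SAMPLE_LOG = """\
1770300000.10\t10.0.5.23\t43.249.175.87\t39816\ttcp
1770300060.40\t10.0.5.23\t43.249.175.87\t39816\ttcp
1770300119.90\t10.0.5.23\t43.249.175.87\t39816\ttcp
1770300180.70\t10.0.5.23\t43.249.175.87\t39816\ttcp
1770300241.00\t10.0.5.23\t43.249.175.87\t39816\ttcp
1770300012.00\t10.0.5.44\t203.0.113.10\t443\ttcp
1770300500.00\t10.0.5.44\t203.0.113.10\t443\ttcp
1770300503.00\t10.0.5.44\t203.0.113.10\t443\ttcp
1770300900.00\t10.0.5.44\t203.0.113.10\t443\ttcp
1770300050.00\t10.0.5.23\t43.249.175.87\t443\ttcp
"""


def parse_conn_log(text):
    """Parse tab-separated connection records; skip blank and '#' comment lines."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split("\t")
        records.append({"ts": float(ts), "src": src, "dst": dst,
                        "dport": int(dport), "proto": proto})
    return records


def find_ioc_hits(records):
    """Exact ip:port match is high confidence; same address on another port is
    medium confidence (assumption: operators rotate listener ports)."""
    hits = []
    for r in records:
        if (r["dst"], r["dport"]) in IOC_ENDPOINTS:
            hits.append({**r, "confidence": "high"})
        elif r["dst"] in IOC_HOSTS:
            hits.append({**r, "confidence": "medium"})
    return hits


def beacon_score(timestamps, min_intervals=3):
    """Coefficient of variation (stdev / mean) of inter-connection gaps.
    Near 0 means a fixed sleep; jitter raises it modestly; human traffic is high.
    Returns None when there are too few gaps to judge."""
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < min_intervals:
        return None
    mean = statistics.fmean(gaps)
    if mean <= 0:
        return None
    return statistics.pstdev(gaps) / mean


def hunt(text, cv_threshold=0.15):
    """Return IOC hits plus (src, dst, dport) flows whose timing looks like a beacon.
    The 0.15 threshold is an assumed starting point, tune it per environment."""
    records = parse_conn_log(text)
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    periodic = {}
    for key, stamps in flows.items():
        score = beacon_score(stamps)
        if score is not None and score <= cv_threshold:
            periodic[key] = round(score, 4)
    return {"ioc_hits": find_ioc_hits(records), "periodic_flows": periodic}


if __name__ == "__main__":
    report = hunt(SAMPLE_LOG)
    for h in report["ioc_hits"]:
        print(f"IOC hit [{h['confidence']}]: {h['src']} -> {h['dst']}:{h['dport']}")
    for key, score in report["periodic_flows"].items():
        print(f"periodic flow {key}: cv={score}")
```

Periodicity scoring is independent of the published IOC, so the same pass surfaces beacons to infrastructure that has already rotated; hosts flagged only by timing should be checked against endpoint telemetry for injected or unsigned processes before being treated as confirmed.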

Rapid containment significantly reduces the risk of ransomware deployment and long-term network persistence. Continuous monitoring remains essential because attackers frequently rotate infrastructure to evade detection.